Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]

From: Lewis Watson (lists_at_visionsix.com)
Date: 08/05/03

  • Next message: Michael Collette: "Re: Kerberos in the handbook"
    To: <security-advisories@freebsd.org>
    Date: Tue, 5 Aug 2003 11:58:33 -0500
    
    

    > NOTE WELL: Any statically linked applications that are not part of
    > the base system (i.e. from the Ports Collection or other 3rd-party
    > sources) must be recompiled.
    >
    > All affected applications must be restarted for them to use the
    > corrected library. Though not required, rebooting may be the easiest
    > way to accomplish this.
    >

    I have upgraded my 4.8 box to 4.8 p1. How do I verify what applications
    need to be patched and how do I make sure that the above noted statically
    linked applications are patched after I am done?
    Thanks a bunch!
    Lewis

    ----- Original Message -----
    From: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
    To: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
    Sent: Tuesday, August 05, 2003 7:02 AM
    Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    >
    ==========================================================================
    ===
    > FreeBSD-SA-03:08.realpath Security
    Advisory
    > The FreeBSD
    Project
    >
    > Topic: Single byte buffer overflow in realpath(3)
    >
    > Category: core
    > Module: libc
    > Announced: 2003-08-03
    > Credits: Janusz Niewiadomski <funkysh@isec.pl>,
    > Wojciech Purczynski <cliph@isec.pl>,
    > CERT/CC
    > Affects: All releases of FreeBSD up to and including 4.8-RELEASE
    > and 5.0-RELEASE
    > FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
    > Corrected: 2003-08-03 23:46:24 UTC (RELENG_5_0)
    > 2003-08-03 23:43:43 UTC (RELENG_4_8)
    > 2003-08-03 23:44:12 UTC (RELENG_4_7)
    > 2003-08-03 23:44:36 UTC (RELENG_4_6)
    > 2003-08-03 23:44:56 UTC (RELENG_4_5)
    > 2003-08-03 23:45:41 UTC (RELENG_4_4)
    > 2003-08-03 23:46:03 UTC (RELENG_4_3)
    > 2003-08-03 23:47:39 UTC (RELENG_3)
    > FreeBSD only: NO
    >
    > 0. Revision History
    >
    > v1.0 2003-08-03 Initial release
    > v1.1 2003-08-04 Updated information for lukemftpd
    >
    > I. Background
    >
    > The realpath(3) function is used to determine the canonical,
    > absolute pathname from a given pathname which may contain extra
    > ``/'' characters, references to ``/./'' or ``/../'', or references
    > to symbolic links. The realpath(3) function is part of the FreeBSD
    > Standard C Library.
    >
    > II. Problem Description
    >
    > An off-by-one error exists in a portion of realpath(3) that computes
    > the length of the resolved pathname. As a result, if the resolved
    > path name is exactly 1024 characters long and contains at least
    > two directory separators, the buffer passed to realpath(3) will be
    > overwritten by a single NUL byte.
    >
    > III. Impact
    >
    > Applications using realpath(3) MAY be vulnerable to denial of service
    > attacks, remote code execution, and/or privilege escalation. The
    > impact on an individual application is highly dependent upon the
    > source of the pathname passed to realpath, the position of the output
    > buffer on the stack, the architecture on which the application is
    > running, and other factors.
    >
    > Within the FreeBSD base system, several applications use realpath(3).
    > Two applications which are negatively impacted are:
    >
    > (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
    > process the MLST and MLSD commands. The vulnerability may be
    > exploitable, leading to code execution with superuser privileges.
    >
    > lukemftpd(8) was installed (but not enabled) by default in
    > 4.7-RELEASE and in 4-STABLE dated Jun 20 21:13:33 2002 UTC through
    > Nov 12 17:32:47 2002 UTC. It is not built or installed by default
    > in any other release.
    >
    > If the `-r' option to lukemftpd is used (as suggested by the
    > example /etc/inetd.conf supplied in 4.7-RELEASE), then successful
    > exploitation leads leads to code execution with the privileges of
    > the authenticated user (rather than superuser privileges).
    >
    > (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
    > chdir commands. This vulnerability may be exploitable, leading
    > to code execution with the privileges of the authenticated user.
    >
    > At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
    > the following applications which appear to use realpath(3). These
    > applications have not been audited, and may or may not be vulnerable.
    > There may be additional applications in the FreeBSD Ports Collection
    > that use realpath(3), particularly statically-linked applications and
    > applications added since 4.8-RELEASE.
    >
    > BitchX-1.0c19_1
    > Mowitz-0.2.1_1
    > XFree86-clients-4.3.0_1
    > abcache-0.14
    > aim-1.5.234
    > analog-5.24,1
    > anjuta-1.0.1_1
    > aolserver-3.4.2
    > argus-2.0.5
    > arm-rtems-gdb-5.2_1
    > avr-gdb-5.2.1
    > ccache-2.1.1
    > cdparanoia-3.9.8_4
    > cfengine-1.6.3_4
    > cfengine2-2.0.3
    > cmake-1.4.7
    > comserv-1.4.3
    > criticalmass-0.97
    > dedit-0.6.2.3_1
    > drweb_postfix-4.29.10a
    > drweb-4.29.2
    > drweb_sendmail-4.29.10a
    > edonkey-gui-gtk-0.5.0
    > enca-0.10.7
    > epic4-1.0.1_2
    > evolution-1.2.2_1
    > exim-3.36_1
    > exim-4.12_5
    > exim-ldap-4.12_5
    > exim-ldap2-4.12_5
    > exim-mysql-4.12_5
    > exim-postgresql-4.12_5
    > fam-2.6.9_2
    > fastdep-0.15
    > feh-1.2.4_1
    > ferite-0.99.6
    > fileutils-4.1_1
    > finfo-0.1
    > firebird-1.0.2
    > firebird-1.0.r2
    > frontpage-5.0.2.2623_1
    > galeon-1.2.8
    > galeon2-1.3.2_1
    > gdb-5.3_20030311
    > gdb-5.2.1_1
    > gdm2-2.4.1.3
    > gecc-20021119
    > gentoo-0.11.34
    > gkrellmvolume-2.1.7
    > gltron-0.61
    > global-4.5.1
    > gnat-3.15p
    > gnomelibs-1.4.2_1
    > gprolog-1.2.16
    > gracula-3.0
    > gringotts-1.2.3
    > gtranslator-0.43_1
    > gvd-1.2.5
    > hercules-2.16.5
    > hte-0.7.0
    > hugs98-200211
    > i386-rtems-gdb-5.2_1
    > i960-rtems-gdb-5.2_1
    > installwatch-0.5.6
    > ivtools-1.0.6
    > ja-epic4-1.0.1_2
    > ja-gnomelibs-1.4.2_1
    > ja-msdosfs-20001027
    > ja-samba-2.2.7a.j1.1_1
    > kdebase-3.1_1
    > kdelibs-3.1
    > kermit-8.0.206
    > ko-BitchX-1.0c16_3
    > ko-msdosfs-20001027
    > leocad-0.73
    > libfpx-1.2.0.4_1
    > libgnomeui-2.2.0.1
    > libpdel-0.3.4
    > librep-0.16.1_1
    > linux-beonex-0.8.1
    > linux-divxplayer-0.2.0
    > linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
    > linux-gnomelibs-1.2.8_2
    > linux-mozilla-1.2
    > linux-netscape-communicator-4.8
    > linux-netscape-navigator-4.8
    > linux-phoenix-0.3
    > linux_base-6.1_4
    > linux_base-7.1_2
    > lsh-1.5.1
    > lukemftpd-1.1_1
    > m68k-rtems-gdb-5.2_1
    > mips-rtems-gdb-5.2_1
    > mod_php4-4.3.1
    > moscow_ml-2.00_1
    > mozilla-1.0.2_1
    > mozilla-1.2.1_1,2
    > mozilla-1.2.1_2
    > mozilla-1.3b,1
    > mozilla-1.3b
    > mozilla-embedded-1.0.2_1
    > mozilla-embedded-1.2.1_1,2
    > mozilla-embedded-1.3b,1
    > msyslog-1.08f_1
    > netraider-0.0.2
    > openag-1.1.1_1
    > openssh-portable-3.5p1_1
    > openssh-3.5
    > p5-PPerl-0.23
    > paragui-1.0.2_2
    > powerpc-rtems-gdb-5.2_1
    > psim-freebsd-5.2.1
    > ptypes-1.7.4
    > pure-ftpd-1.0.14
    > qiv-1.8
    > readlink-20010616
    > reed-5.4
    > rox-1.3.6_1
    > rox-session-0.1.18_1
    > rpl-1.4.0
    > rpm-3.0.6_6
    > samba-2.2.8
    > samba-3.0a20
    > scrollkeeper-0.3.11_8,1
    > sh-rtems-gdb-5.2_1
    > sharity-light-1.2_1
    > siag-3.4.10
    > skipstone-0.8.3
    > sparc-rtems-gdb-5.2_1
    > squeak-2.7
    > squeak-3.2
    > swarm-2.1.1
    > tcl-8.2.3_2
    > tcl-8.3.5
    > tcl-8.4.1,1
    > tcl-thread-8.1.b1
    > teTeX-2.0.2_1
    > wine-2003.02.19
    > wml-2.0.8
    > worker-2.7.0
    > xbubble-0.2
    > xerces-c2-2.1.0_1
    > xerces_c-1.7.0
    > xnview-1.50
    > xscreensaver-gnome-4.08
    > xscreensaver-4.08
    > xworld-2.0
    > yencode-0.46_1
    > zh-cle_base-0.9p1
    > zh-tcl-8.3.0
    > zh-tw-BitchX-1.0c19_3
    > zh-ve-1.0
    > zh-xemacs-20.4_1
    >
    > IV. Workaround
    >
    > There is no generally applicable workaround.
    >
    > OpenSSH's sftp-server(8) may be disabled by editing
    > /etc/ssh/sshd_config and commenting out the following line by
    > inserting a `#' as the first character:
    >
    > Subsystem sftp /usr/libexec/sftp-server
    >
    > lukemftpd(8) may be replaced by the default ftpd(8).
    >
    > V. Solution
    >
    > 1) Upgrade your vulnerable system to 4.8-STABLE
    > or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
    > (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
    > dated after the respective correction dates.
    >
    > 2) To patch your present system:
    >
    > a) Download the relevant patch from the location below, and verify the
    > detached PGP signature using your PGP utility. The following patch
    > has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
    > 5.0-RELEASE.
    >
    > # fetch
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
    > # fetch
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
    >
    > b) Apply the patch.
    >
    > # cd /usr/src
    > # patch < /path/to/patch
    >
    > c) Recompile your operating system as described in
    > <URL:http://www.freebsd.org/doc/handbook/makeworld.html>.
    >
    > NOTE WELL: Any statically linked applications that are not part of
    > the base system (i.e. from the Ports Collection or other 3rd-party
    > sources) must be recompiled.
    >
    > All affected applications must be restarted for them to use the
    > corrected library. Though not required, rebooting may be the easiest
    > way to accomplish this.
    >
    > VI. Correction details
    >
    > The following list contains the revision numbers of each file that was
    > corrected in FreeBSD.
    >
    > Branch
    Revision
    > Path
    > - ----------------------------------------------------------------------

    ---
    > RELENG_3
    >   src/lib/libc/stdlib/realpath.c
    1.6.2.1
    > RELENG_4_3
    >   src/UPDATING
    1.73.2.28.2.32
    >   src/lib/libc/stdlib/realpath.c
    1.9.4.1
    >   src/sys/conf/newvers.sh
    1.44.2.14.2.22
    > RELENG_4_4
    >   src/UPDATING
    1.73.2.43.2.45
    >   src/lib/libc/stdlib/realpath.c
    1.9.6.1
    >   src/sys/conf/newvers.sh
    1.44.2.17.2.36
    > RELENG_4_5
    >   src/UPDATING
    1.73.2.50.2.44
    >   src/lib/libc/stdlib/realpath.c
    1.9.8.1
    >   src/sys/conf/newvers.sh
    1.44.2.20.2.28
    > RELENG_4_6
    >   src/UPDATING
    1.73.2.68.2.42
    >   src/lib/libc/stdlib/realpath.c
    1.9.10.1
    >   src/sys/conf/newvers.sh
    1.44.2.23.2.31
    > RELENG_4_7
    >   src/UPDATING
    1.73.2.74.2.14
    >   src/lib/libc/stdlib/realpath.c
    1.9.12.1
    >   src/sys/conf/newvers.sh
    1.44.2.26.2.13
    > RELENG_4_8
    >   src/UPDATING
    1.73.2.80.2.3
    >   src/lib/libc/stdlib/realpath.c
    1.9.14.1
    >   src/sys/conf/newvers.sh
    1.44.2.29.2.2
    > RELENG_5_0
    >   src/UPDATING
    1.229.2.14
    >   src/lib/libc/stdlib/realpath.c
    1.11.2.1
    >   src/sys/conf/newvers.sh
    1.48.2.9
    > - ----------------------------------------------------------------------
    ---
    >
    > VII.  References
    >
    > <URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt>
    > <URL:http://www.kb.cert.org/vuls/id/743092>
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.2 (FreeBSD)
    >
    > iD8DBQE/L5wUFdaIBMps37IRAiY7AJ9k0TOFUzlwC5rHbax4bXa8lluyFACfc82w
    > xpJrfCeDU4qOs8q33dXSsvw=
    > =5z4e
    > -----END PGP SIGNATURE-----
    > _______________________________________________
    > freebsd-security-notifications@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
    > To unsubscribe, send any mail to
    "freebsd-security-notifications-unsubscribe@freebsd.org"
    >
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    

  • Next message: Michael Collette: "Re: Kerberos in the handbook"

    Relevant Pages

    • RE: IE in FreeBSD?
      ... was downloading PDF forms, filling them out locally, and saving them. ... and some Windows applications work just fine. ... > doing the Really Important Work are of course all FreeBSD. ... > data integrity on a notebook? ...
      (freebsd-questions)
    • Re: renaming of /tmp partition. Any adverse effect on OS
      ... The applications running under FreeBSD consider /home/app as the root ... FreeBSD hosts are being used for running our native applications. ... you are effectively disabling the required permissions on ... one host to check whether everything is fine or not. ...
      (comp.os.linux.setup)
    • Re: Convince me, please!
      ... familiar to the Unix OSes that are around. ... PS Try some googling or the freebsd official site for more resources. ... desktop users who have previously known only Windows. ... applications, including its most commonly used browser, office ...
      (freebsd-questions)
    • Re: Convince me, please!
      ... familiar to the Unix OSes that are around. ... PS Try some googling or the freebsd official site for more resources. ... users who have previously known only Windows. ... applications, including its most commonly used browser, office applicatiions ...
      (freebsd-questions)
    • Whats the thing? FreeBSD Security AdvisoryFreeBSD-SA-03:08.realpath (fwd)
      ... I downloaded the patch and said in /usr/src: ... The realpathfunction is part of the FreeBSD ... Applications using realpathMAY be vulnerable to denial of service ... In both of the cases above, the realpathvulnerability may be ...
      (freebsd-questions)